snakeyaml upgrade

Question

magicprinc opened this issue 5 months ago · comments

org.yaml:snakeyaml:1.30 is old and has 7 vulnerabilities

Is it time to upgrade?

Roberto Cortez · Answer 1 · Tue May 07 2024 19:43:47 GMT+0800 (China Standard Time)

Are you on an old version of Smallrye Config?

We updated to 2.2 in 3.5.0:
#985

Andrej Fink · Answer 2 · Wed May 08 2024 01:54:00 GMT+0800 (China Standard Time)

Crazy situation!
I have had io.smallrye.config:smallrye-config-source-yaml:3.8.1, but org.yaml:snakeyaml:1.30.

Spring Boot 2 Gradle plugin has somehow been forcing 1.30.
But IDEA Gradle dependency inspector was showing 1.30 was coming from Smallrye Config.

I have explicitly added dependency org.yaml:snakeyaml:2.2 to fix this.

Sorry and thank you!